By Jonathan Thomas, Michael Lam, Svetlana Plotnikova
Moore Stephens Accountants
WHAT ARE THE IMPLICATIONS FOR BUSINESS?
1. The new regulations are enforceable
The OAIC has extended powers to enforce Australian privacy law. The Commissioner explained that the new regulations represent “a stronger, hard-edged, coercive regime, but the emphasis is still on conciliation.”
From March 2014, the OAIC will have the power to initiate investigations on its own initiative as well as in response to a consumer complaint. If conciliation isn't possible, the OAIC will be able to require organisations to give an undertaking to improve their systems for collecting, storing and using personal information. If they don't, the OAIC will be able to pursue legal action and seek financial penalties from those organisations.
Case study: Penalties for Google
Google was fined in Spain and France for downloading individuals’ personal data from unsecured wifi networks through its Street View service, while United States regulators required it to make an undertaking about its conduct over the ensuing two years. The new Australian laws give the OAIC extended powers to apply similar penalties to organisations operating here.
2. Businesses need to obtain consent—and abide by it
Businesses may only use personally identifiable information for the purposes approved by the individual who provided it.
Case study: Preempting additional uses
Payroll can't share employees' bank details with accounts payable for reimbursement purposes unless the employees consented to that use when the details were collected. One solution is to obtain all the sharing consents the organisation will need at the point of data collection.
“The Principles also require you to tell people how they’ll be adversely affected if they don’t consent to data sharing,” the Commissioner said.
3. The law isn’t retrospective, but it does apply to the data you’ve already collected
The new laws don’t apply to the collection of data in the past. But they do apply to the way you store, secure, and use that data now and in the future. The regulations also require you to keep it up to date and complete.
Case study: Making staff information available to clients
A global business presenting personal information on staff members to potential clients may need to obtain consent from staff members to reuse their personal (or profile) information for this purpose, even if that information was collected before the new laws come into effect, or the staff members are located overseas.
4. Emerging technologies present fresh compliance challenges
New technologies present new hurdles for regional or national legislation like the APPs.
Case study: Destination—Cloud
Attendees flagged that they might store data in cloud services to share with colleagues, but that they have no idea where the service is hosted or the data is stored.
“The Australian privacy laws follow the information wherever it goes,” the Commissioner said.
“If you’re collecting personal information in Australia and sending it overseas, you’re subject to the Australian Privacy Act wherever you send that information, unless the country you send it to has a comparable law for privacy.”
He commented that the United States, for example, does not have a comparable law. But he also explained that the Australian laws apply to all Australian businesses with a turnover of $3 million or more, so Australian-based cloud service providers are required to abide by the new laws, too.
WHAT CAN YOU DO?
Businesses should reassess their existing privacy policies, procedures and systems to ensure they’re adequate to meet the new changes.
“You have to get on top of the privacy principles,” the Commissioner said. “Do a privacy impact assessment.”
He suggested businesses focus on questions including:
- What is the personal information on our systems?
- Can we identify it?
- How’s it being used and stored?
- Who are we giving it to?
“It’s not simple,” he added, “but it can be straightforward.”
LEGISLATIVE IMPLICATIONS FOR INDIVIDUALS
The seminar also highlighted some of the ways the new legislation will affect individuals.
- Be aware that your personal information can be used for purposes beyond those to which you’ve consented, so long as it’s de-identified.
- Even something as simple as an email address may be personally identifying, although generic email addresses usually aren’t personally identifying.
- You are permitted by the new laws to interact with organisations anonymously or under a pseudonym as far as is practical.
- If an associate gives you their business card, they’re obviously consenting to you having that information. But they’re not consenting to you aggregating that information and selling the database to others, for example.
What are you doing about it in your business?